# 3 Installing a Kerberos server

```shell
epsi2@ubuntu:~$ hostname -f
ubuntu
epsi2@ubuntu:~$ hostname ubuntu.epsi.fr
hostname: you must be root to change the host name
epsi2@ubuntu:~$ sudo su
[sudo] password for epsi2:
root@ubuntu:/home/epsi2# hostname ubuntu.epsi.fr
root@ubuntu:/home/epsi2# hostname -f
ubuntu.epsi.fr
root@ubuntu:/home/epsi2# ping ubuntu.epsi.fr
PING ubuntu.epsi.fr (172.16.59.131) 56(84) bytes of data.
64 bytes from ubuntu.epsi.fr (172.16.59.131): icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from ubuntu.epsi.fr (172.16.59.131): icmp_seq=2 ttl=64 time=0.032 ms
^C
--- ubuntu.epsi.fr ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.022/0.027/0.032/0.005 ms
```

## 3.1 The Debian packages

```shell
root@ubuntu:/home/epsi2# apt install krb5-kdc krb5-admin-server krb5-config
```

![kerberos1](https://i.imgur.com/zvv2VdU.png)

![kerberos2](https://i.imgur.com/mxcvWJq.png)

![kerberos3](https://i.imgur.com/ewJLIDE.png)

```shell
root@ubuntu:/home/epsi2# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'EPSI.FR',
master key name 'K/M@EPSI.FR'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.
```

## 3.2 Configuring the Kerberos server

```shell
root@ubuntu:/home/epsi2# vi /etc/krb5kdc/kadm5.acl
```

```
# This file Is the access control list for krb5 administration.
# When this file is edited run service krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *
```

```shell
root@ubuntu:/home/epsi2# systemctl status krb5-kdc.service
● krb5-kdc.service - Kerberos 5 Key Distribution Center
     Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor p>
     Active: active (running) since Fri 2021-04-30 05:31:41 PDT; 5min ago
    Process: 42770 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAE>
   Main PID: 42771 (krb5kdc)
      Tasks: 1 (limit: 4618)
     Memory: 1.6M
     CGroup: /system.slice/krb5-kdc.service
             └─42771 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid

avril 30 05:31:41 ubuntu.epsi.fr krb5kdc[42770]: Setting pktinfo on socket 0>
avril 30 05:31:41 ubuntu.epsi.fr krb5kdc[42770]: Setting up UDP socket for a>
avril 30 05:31:41 ubuntu.epsi.fr krb5kdc[42770]: setsockopt(12,IPV6_V6ONLY,1>
avril 30 05:31:41 ubuntu.epsi.fr krb5kdc[42770]: Setting pktinfo on socket :>
avril 30 05:31:41 ubuntu.epsi.fr krb5kdc[42770]: Setting up TCP socket for a>
avril 30 05:31:41 ubuntu.epsi.fr krb5kdc[42770]: Setting up TCP socket for a>
avril 30 05:31:41 ubuntu.epsi.fr krb5kdc[42770]: setsockopt(14,IPV6_V6ONLY,1>
avril 30 05:31:41 ubuntu.epsi.fr krb5kdc[42770]: set up 6 sockets
avril 30 05:31:41 ubuntu.epsi.fr krb5kdc[42771]: commencing operation
avril 30 05:31:41 ubuntu.epsi.fr systemd[1]: Started Kerberos 5 Key Distribu>
```

```shell
root@ubuntu:/home/epsi2# cat /etc/krb5.conf
[libdefaults]
    default_realm = EPSI.FR

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#    default_tgs_enctypes = des3-hmac-sha1
#    default_tkt_enctypes = des3-hmac-sha1
#    permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    EPSI.FR = {
        kdc = ubuntu.epsi.fr
        admin_server = ubuntu.epsi.fr
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    CSAIL.MIT.EDU = {
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    ANDREW.CMU.EDU = {
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos-1.srv.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        kdc = kerberos-3.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA
```

## 3.3 Creating user accounts

```shell
root@ubuntu:/home/epsi2# apt install krb5-user
```

```shell
root@ubuntu:/home/epsi2# kadmin.local
Authenticating as principal root/admin@EPSI.FR with password.
```

```shell
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EPSI.FR; defaulting to no policy
Enter password for principal "root/admin@EPSI.FR":
Re-enter password for principal "root/admin@EPSI.FR":
Principal "root/admin@EPSI.FR" created.
```

```shell
kadmin.local: addprinc pafpsdnc
WARNING: no policy specified for pafpsdnc@EPSI.FR; defaulting to no policy
Enter password for principal "pafpsdnc@EPSI.FR":
Re-enter password for principal "pafpsdnc@EPSI.FR":
Principal "pafpsdnc@EPSI.FR" created.
```

```shell
kadmin.local: ktadd -norandkey pafpsdnc
Entry for principal pafpsdnc with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal pafpsdnc with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
```

## 3.4 Functional test

```shell
kadmin.local: list_principals
K/M@EPSI.FR
kadmin/admin@EPSI.FR
kadmin/changepw@EPSI.FR
kadmin/ubuntu.epsi.fr@EPSI.FR
kiprop/ubuntu.epsi.fr@EPSI.FR
krbtgt/EPSI.FR@EPSI.FR
pafpsdnc@EPSI.FR
root/admin@EPSI.FR
```

```shell
root@ubuntu:/home/epsi2# kinit pafpsdnc@EPSI.FR
Password for pafpsdnc@EPSI.FR:
```

```shell
root@ubuntu:/home/epsi2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pafpsdnc@EPSI.FR

Valid starting       Expires              Service principal
30/04/2021 05:57:15  30/04/2021 15:57:15  krbtgt/EPSI.FR@EPSI.FR
	renew until 01/05/2021 05:57:11
```

```shell
root@ubuntu:/home/epsi2# kadmin
Authenticating as principal pafpsdnc/admin@EPSI.FR with password.
kadmin: Client 'pafpsdnc/admin@EPSI.FR' not found in Kerberos database while initializing kadmin interface
```

`kadmin` fails because it tries to use the `pafpsdnc` user, since we ran `kinit` with that principal just before. That user is not an administrator (pafpsdnc/admin does not exist, but pafpsdnc does!), hence the error.

```shell
root@ubuntu:/home/epsi2# kadmin.local
Authenticating as principal pafpsdnc/admin@EPSI.FR with password.
kadmin.local:
```

kadmin.local does not use Kerberos authentication, so it does not apply the configuration in /etc/krb5kdc/kadm5.acl that restricts access to principals containing "/admin".

```shell
root@ubuntu:/home/epsi2# kdestroy -p pafpsdnc
root@ubuntu:/home/epsi2# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
```

```shell
root@ubuntu:/home/epsi2# kadmin
Authenticating as principal root/admin@EPSI.FR with password.
Password for root/admin@EPSI.FR:
kadmin:
```

Having destroyed the `pafpsdnc` user's ticket with `kdestroy`, `kadmin` falls back to `root/admin`, which does exist.

```shell
root@ubuntu:/home/epsi2# ktutil
ktutil: addent -password -p pafpsdnc@EPSI.FR -k 1 -e aes256-cts
Password for pafpsdnc@EPSI.FR:
ktutil: wkt pafpsdnc.keytab
ktutil: quit
root@ubuntu:/home/epsi2# kinit pafpsdnc@EPSI.FR -k -t pafpsdnc.keytab
```

```shell
root@ubuntu:/home/epsi2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pafpsdnc@EPSI.FR

Valid starting       Expires              Service principal
30/04/2021 06:10:01  30/04/2021 16:10:01  krbtgt/EPSI.FR@EPSI.FR
	renew until 01/05/2021 06:10:01
```

```shell
root@ubuntu:/home/epsi2# klist -k pafpsdnc.keytab
Keytab name: FILE:pafpsdnc.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 pafpsdnc@EPSI.FR
root@ubuntu:/home/epsi2# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 pafpsdnc@EPSI.FR
   1 pafpsdnc@EPSI.FR
```

```shell
root@ubuntu:/home/epsi2# kdestroy -p pafpsdnc
root@ubuntu:/home/epsi2# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
```

```shell
root@ubuntu:/home/epsi2# kpasswd pafpsdnc
Password for pafpsdnc@EPSI.FR:
Enter new password:
Enter it again:
Password changed.
```

```shell
root@ubuntu:/home/epsi2# kinit pafpsdnc -k -t pafpsdnc.keytab
kinit: Preauthentication failed while getting initial credentials
```

Since the password of user `pafpsdnc` has been changed, the key previously generated in `pafpsdnc.keytab` is no longer valid; it must be regenerated with ktadd.

```shell
root@ubuntu:/home/epsi2# kadmin.local
Authenticating as principal root/admin@EPSI.FR with password.
kadmin.local: ktadd -norandkey pafpsdnc
Entry for principal pafpsdnc with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal pafpsdnc with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
```

```shell
root@ubuntu:/home/epsi2# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 pafpsdnc@EPSI.FR
   1 pafpsdnc@EPSI.FR
   2 pafpsdnc@EPSI.FR
   2 pafpsdnc@EPSI.FR
```

```shell
root@ubuntu:/home/epsi2# kinit pafpsdnc -k -t pafpsdnc.keytab
```

```shell
root@ubuntu:/home/epsi2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pafpsdnc@EPSI.FR

Valid starting       Expires              Service principal
30/04/2021 07:08:36  30/04/2021 17:08:36  krbtgt/EPSI.FR@EPSI.FR
	renew until 01/05/2021 07:08:36
```

From these steps we can deduce that, with Kerberos, the authentication keys can be modified without having to supply the user's new password. This protocol keeps passwords off insecure networks at all times, even while the user is being verified. Throughout the verification process, a plaintext password never reaches the KDC or the service server.
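A keytab entry stops working as soon as its kvno falls behind the KDC's, and ktadd appends new entries instead of replacing old ones, which is why the kvno 1 entries above remain in /etc/krb5.keytab. The following added example (not code from the original report) reads the MIT keytab file format directly to list entries the way `klist -k -e` does and to flag those behind the current kvno; the keytab bytes are constructed in-line with dummy key material, and the enctype table covers only the two types seen in this report.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _cstr(data):                       # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(data)) + data

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples the way MIT ktadd does (v0x502)."""
    out = struct.pack(">H", 0x0502)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 1619783835, kvno & 0xFF)  # name_type, constructed timestamp, vno8
        body += struct.pack(">H", enctype) + _cstr(key) + struct.pack(">I", kvno)  # keyblock, vno32
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob):
    """Return the KVNO / principal / enctype rows that `klist -k -e` prints."""
    assert blob[:2] == b"\x05\x02", "unsupported keytab version"
    pos, rows = 2, []
    while pos < len(blob):
        size, pos = struct.unpack(">i", blob[pos:pos + 4])[0], pos + 4
        if size < 0:                   # hole left by `ktutil delent`: skip it
            pos -= size
            continue
        end, (ncomp,) = pos + size, struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        strings = []                   # realm first, then the name components
        for _ in range(ncomp + 1):
            ln = struct.unpack(">H", blob[pos:pos + 2])[0]
            strings.append(blob[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        _name_type, _stamp, vno8, enctype, klen = struct.unpack(">IIBHH", blob[pos:pos + 13])
        pos += 13 + klen               # skip the key material; it is not needed here
        kvno = struct.unpack(">I", blob[pos:pos + 4])[0] if end - pos >= 4 else vno8
        rows.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                     "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return rows
def stale_entries(rows, current_kvno):
    """Entries behind the KDC's kvno: `kinit -k` with them fails preauth, as in 3.4."""
    return [r for r in rows if r["kvno"] < current_kvno]
# Constructed sample mirroring /etc/krb5.keytab after the second ktadd (dummy key bytes).
SAMPLE = build_keytab([("pafpsdnc@EPSI.FR", 1, 18, b"\x11" * 32), ("pafpsdnc@EPSI.FR", 1, 17, b"\x11" * 16),
                       ("pafpsdnc@EPSI.FR", 2, 18, b"\x22" * 32), ("pafpsdnc@EPSI.FR", 2, 17, b"\x22" * 16)])
```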
# 4 Installing the Apache server

## 4.1 Installing the packages

```shell
epsi3@ubuntu:~$ sudo apt install apache2
```

```shell
epsi3@ubuntu:~$ cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

```shell
epsi3@ubuntu:~$ systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-04-30 07:42:19 PDT; 7min ago
       Docs: https://httpd.apache.org/docs/2.4/
   Main PID: 7587 (apache2)
      Tasks: 55 (limit: 4618)
     Memory: 6.0M
     CGroup: /system.slice/apache2.service
             ├─7587 /usr/sbin/apache2 -k start
             ├─7588 /usr/sbin/apache2 -k start
             └─7589 /usr/sbin/apache2 -k start
```

## 4.2 Adding the PHP module

```shell
epsi3@ubuntu:~$ sudo apt install libapache2-mod-php
```

```shell
epsi3@ubuntu:~$ sudo -s
root@ubuntu:/home/epsi3# echo "<?php phpinfo() ?>" > /var/www/html/index.php
root@ubuntu:/home/epsi3# cat /var/www/html/index.php
<?php phpinfo() ?>
```

## 4.3 Adding the Kerberos module

```shell
epsi3@ubuntu:~$ sudo apt install libapache2-mod-auth-kerb
```

![kerberos1](https://i.imgur.com/zvv2VdU.png)

![kerberos2](https://i.imgur.com/mxcvWJq.png)

![kerberos3](https://i.imgur.com/ewJLIDE.png)

# 5 Using Kerberos with Apache

## 5.1 Configuring Kerberos authentication

```shell
root@ubuntu:/home/epsi2# kadmin.local -q "addprinc -randkey HTTP/www.epsi.fr"
Authenticating as principal root/admin@EPSI.FR with password.
WARNING: no policy specified for HTTP/www.epsi.fr@EPSI.FR; defaulting to no policy
Principal "HTTP/www.epsi.fr@EPSI.FR" created.
root@ubuntu:/home/epsi2# kadmin.local -q "ktadd -k /root/http.keytab HTTP/www.epsi.fr"
Authenticating as principal root/admin@EPSI.FR with password.
Entry for principal HTTP/www.epsi.fr with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/http.keytab.
Entry for principal HTTP/www.epsi.fr with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/http.keytab.
```

```shell
epsi3@ubuntu:~$ sudo cp ~/Downloads/http.keytab /etc/apache2/http.keytab
```

```shell
epsi3@ubuntu:~$ sudo chown www-data /etc/apache2/http.keytab
epsi3@ubuntu:~$ ll /etc/apache2/http.keytab
-rw-r--r-- 1 www-data root 152 avril 30 08:26 /etc/apache2/http.keytab
```

```shell
root@ubuntu:/home/epsi3# apt install krb5-user
```

```shell
root@ubuntu:/home/epsi3# kinit HTTP/www.epsi.fr@EPSI.FR -k -t /etc/apache2/http.keytab
```

![](https://i.imgur.com/QHSpuL6.png)

# Conclusion

We see that Kerberos lets us manage users centrally; it then lets us generate tickets for those users. These tickets are, in a sense, identity cards, and they have properties such as an expiry time. This ticket mechanism limits the exchange of credentials such as the password. However, these tickets are kept on the client side; if they are not stored in a secure location, it is possible to retrieve them and impersonate the users. As we understand it, Kerberos is a very secure tool, but it relies on the security of the various client and server machines: if one of them is individually compromised, it then becomes possible to retrieve those tickets. That said, it greatly limits the exchange of credentials, so the system becomes hard to compromise.
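The report ends with copying the keytab and checking it with kinit but does not show the Apache virtual host that uses it; the following is an added example of the mod_auth_kerb configuration that would go with it, not taken from the original report. The AuthName string and the Location block are assumptions; the realm, service principal and keytab path are the ones created in 5.1.

```apache
<VirtualHost *:80>
    ServerName www.epsi.fr
    DocumentRoot /var/www/html

    <Location />
        # mod_auth_kerb: SPNEGO/Negotiate only; no password fallback over plain HTTP
        AuthType Kerberos
        AuthName "EPSI Kerberos login"
        KrbAuthRealms EPSI.FR
        KrbServiceName HTTP/www.epsi.fr
        Krb5KeyTab /etc/apache2/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbSaveCredentials Off
        Require valid-user
    </Location>
</VirtualHost>
```

The keytab holds the service's long-term key, so it should be readable only by www-data (mode 0640) rather than the 0644 visible in the `ll` output above. Enable the module with `a2enmod auth_kerb` and restart apache2 for the fragment to take effect.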